Networking Forums


A security issue about windows workgroup logon

 
 
Frank
07-14-2004, 03:28 PM
Hi All,

After testing I found that when a win2k local user account has the same logon name and password as a win2k domain user account (no matter whether or not the win2k machine joins the domain), it then has the same access rights to the domain resources which are assigned permission to the domain user account.

E.g.:
Machine 1: win2k pro, workgroup, local user name: user1, pw: 123456
Machine 2: win2k domain controller with domain user account: user1, pw: 123456

When logged on locally to the win2k pro machine using credentials user1, 123456, I can freely access any resource that the domain account user1 has permission to.

This is indeed a security issue, although the chance of such a coincidence is small. By right, if a user logs on as a local user, he/she should provide domain user credentials when accessing domain resources.

This will not happen for 2 identical domain user accounts which exist in two different domains. And I believe even for the win2k3 domain it is the same.

Does anyone know where to find the explanation for such an issue? Is it by design or a security hole?

Thanks
Frank

 
 
 
 
 
Bill Grant
07-15-2004, 07:27 AM
I think you will find that this has always been the case. When a
machine which is not a domain member tries to access a domain resource, the
domain controller queries the machine for its credentials. If the
workgroup/username/password exactly matches a valid
domain/username/password, the logon credentials are accepted by the domain
controller. The domain controller trusts the local machine logon
credentials.
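Added example, not part of either post: a defender's check for the situation Bill describes, scanning logon records for NTLM network logons to domain accounts that come from machines which are not domain members. The record fields follow the later Windows Security event 4624 layout, and the domain name, member inventory and sample records are constructed assumptions.

```python
# Added example (not from the thread). Record fields follow the Windows
# Security event 4624 layout, which is newer than the win2k systems discussed.
DOMAIN = "CORP"                                # hypothetical domain name
DOMAIN_MEMBERS = {"DC01", "WS-ACCT-01", "WS-ACCT-02"}  # hypothetical inventory
NETWORK_LOGON = 3                              # LogonType for access over the network

def _ev(user, workstation, package, logon_type=NETWORK_LOGON):
    """Build one constructed logon record."""
    return {"EventID": 4624, "LogonType": logon_type,
            "TargetUserName": user, "TargetDomainName": DOMAIN,
            "AuthenticationPackageName": package, "WorkstationName": workstation}

# Constructed sample records, as a domain controller might collect them.
SAMPLE_EVENTS = [
    _ev("user1", "MACHINE1", "NTLM"),        # workgroup PC, matching name/password
    _ev("user1", "WS-ACCT-01", "Kerberos"),  # normal domain-member logon
    _ev("user2", "WS-ACCT-02", "NTLM"),      # NTLM, but from a known member
    _ev("User1", "machine1", "NTLM"),        # repeat of the first, different case
    _ev("user3", "", "NTLM"),                # source machine name missing
    _ev("DC01$", "MACHINE9", "NTLM"),        # machine account, out of scope here
]

def is_non_member_logon(event, domain=DOMAIN, members=DOMAIN_MEMBERS):
    """True for an NTLM network logon to a domain user from an unknown machine."""
    if event.get("EventID") != 4624 or event.get("LogonType") != NETWORK_LOGON:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if event.get("TargetDomainName", "").upper() != domain.upper():
        return False
    if event.get("TargetUserName", "").endswith("$"):
        return False
    source = event.get("WorkstationName", "").strip().upper()
    return source not in {m.upper() for m in members}

def find_non_member_logons(events):
    """Map each affected account to the sorted non-member source machines."""
    hits = {}
    for event in events:
        if is_non_member_logon(event):
            source = event["WorkstationName"].strip().upper() or "(unknown)"
            hits.setdefault(event["TargetUserName"].lower(), set()).add(source)
    return {user: sorted(sources) for user, sources in hits.items()}

if __name__ == "__main__":
    for user, sources in find_non_member_logons(SAMPLE_EVENTS).items():
        print(f"{DOMAIN}\\{user}: NTLM network logon from {', '.join(sources)}")
```

A hit means only that the source machine is missing from the inventory, so the result is a list to review against known non-member devices.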